Firewall commands - vpngroup


New functionality has been added to implement the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunnelling Protocol (L2TP) feature within virtual private dial-up network (VPDN) groups.


    vpdn group group_name accept dialin [pptp | l2tp]
    vpdn group group_name l2tp tunnel hello [hello_timeout]
    vpdn group group_name client accounting [aaa_server_tag]

Implements support for the Cisco VPN 3000 Client. (Configuration mode.)

    [no] vpngroup group_name address-pool pool_name

    [no] vpngroup group_name default-domain domain_name

    [no] vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]

    [no] vpngroup group_name idle-time idle_seconds

    [no] vpngroup group_name max-time max_seconds

    [no] vpngroup group_name password preshared_key

    [no] vpngroup group_name split-tunnel acl_name

    [no] vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]


Syntax

accept dialin Accept PPTP or L2TP dial-in request.
group_name Specify the VPDN group name. The group_name is an ASCII string. You can make up the name. The maximum length of the name is 128 bytes.
pool_name IP address pool name.
dns_ip_prim IP address of the primary DNS server.
dns_ip_sec IP address of the secondary DNS server.
wins_ip_prim IP address of the primary WINS server.
wins_ip_sec IP address of the secondary WINS server.
domain_name Default domain name.
acl_name Name of the access-list to which to bind split-tunneling.
idle_seconds Inactivity timeout. Default is 1800 seconds or 30 minutes.
max_seconds Maximum connection time. Default is unlimited.
preshared_key The VPN group pre-share key.
vpdn group Identify the virtual private dial-up network group.
pptp | l2tp PPTP or L2TP protocol.
l2tp tunnel hello The L2TP keep-alive hello timeout value. Default is 60 seconds. Minimum is 10 seconds and maximum is 300 seconds.
hello_timeout Tunnel hello keep-alive message timeout period (in seconds).

client accounting Generate an AAA accounting start and stop record for the L2TP (and PPTP) session.
aaa_server_tag Defined from the aaa-server command. Does not need to be the same server as the AAA authentication server.


Usage

Configure policy attributes to be downloaded to VPN clients that are part of a given group. The same VPN group name is configured in the Cisco VPN 3000 Client to ensure the matching of VPN client policy.

Configure IKE Mode Config prior to configuring support for the Cisco VPN 3000 Client. Specify that the firewall initiates the IKE Mode Config.

The firewall selects the VPN group named "default" if there is no other policy match. The default VPN group matches any group name.

The vpngroup address-pool command lets you define a pool of local addresses to be assigned to a VPN group.

Both the vpngroup address-pool command and the ip local pool command enable you to specify a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients. In the case of the Cisco VPN 3000 Client, the specified pool of addresses is associated with a given group, which consists of Cisco VPN 3000 Client users. We recommend using the vpngroup address-pool command only if you will configure more than one pool of addresses to be used by more than one VPN user group. The vpngroup address-pool command gives the firewall added flexibility to configure different pools of local addresses for different user groups.

DNS Server

The vpngroup dns-server command enables the firewall to download an IP address of a DNS server to a Cisco VPN 3000 Client as part of an IKE negotiation.

WINS Server Domain

The vpngroup wins-server command lets the firewall download an IP address of a WINS server to a Cisco VPN 3000 Client as part of an IKE negotiation.

Default Domain

To enable the firewall to download a default domain name to a Cisco VPN 3000 Client as part of IKE negotiation, use vpngroup default-domain.

Split Tunnel

Use the vpngroup split-tunnel command to enable split tunneling on the firewall. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. Using the vpngroup split-tunnel command, specify the access-list name to which to associate the split tunneling of traffic. With split tunneling enabled, the firewall downloads the local network IP address and netmask specified within the associated access-list to the VPN client as part of the policy push to the client. In turn, the VPN client sends the traffic destined to the specified local firewall network via an IPSec tunnel and all other traffic in the clear. The firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to the specified local network.

If you do not enable split tunneling, all traffic between the VPN client and the firewall is sent through an IPSec tunnel. All traffic originating from the VPN client is sent to the firewall's outside interface through a tunnel, and the client's access to the Internet from its remote site is denied.

Regardless of whether split tunneling is enabled, the VPN client negotiates an IPSec tunnel to the firewall unit's IP address with a netmask of 255.255.255.255.

Networks defined in access-list deny command statements are not pushed to the VPN client.

Idle Time

The vpngroup idle-time command sets the inactivity timeout for a Cisco VPN 3000 Client. When the inactivity timeout for all IPSec SAs has expired for a given VPN client, the tunnel is terminated. The default inactivity timeout is 30 minutes.

Max Time

The vpngroup max-time command sets the maximum connection time for a Cisco VPN 3000 Client. When the maximum connection time is reached for a given VPN client, the tunnel is terminated. This means the connection between the Cisco VPN 3000 Client and the firewall will have to be reestablished. The default maximum connection time is set to an unlimited amount of time.

The inactivity timeout specified with the vpngroup idle-time command and the maximum connection time specified with the vpngroup max-time command for a given Cisco VPN 3000 Client take precedence over the commands used to set global lifetime timeouts, namely the isakmp policy lifetime and crypto map set security-association lifetime seconds commands.

Passwords

Use the vpngroup password command to configure the VPN group's pre-shared key, which is used during IKE authentication. This pre-shared key is equivalent to the password that you enter in the Group Password field of the Cisco VPN 3000 Client while configuring the group access information for a connection entry.

The configured password is displayed as asterisks in the firewall configuration file.

Both the vpngroup password command and the isakmp key address command let you specify a pre-shared key to be used for IKE authentication. We recommend that you use the vpngroup password command only if you plan to configure more than one VPN user group. The vpngroup password command gives the firewall added flexibility to configure different VPN user groups.


Examples

The following example shows use of the vpngroup commands. The VPN client(s) within the VPN group named "myVpnGroup" will be dynamically assigned one of the IP addresses from the pool of addresses ranging from 10.140.40.0 to 10.140.40.7. The policy attributes for the group "myVpnGroup" will be downloaded to a given VPN client during the policy push to the client. Split tunneling is enabled. In the example, all traffic destined for the 10.130.38.0 255.255.255.0 firewall network from the VPN client will be IPSec protected.

    access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
    ip local pool vpnpool 10.140.40.1-10.140.40.7
    crypto ipsec transform-set esp-sha esp-null esp-sha-hmac
    crypto dynamic-map dynmap 50 set transform-set esp-sha
    crypto map mapName 10 ipsec-isakmp dynamic dynmap
    crypto map mapName client configuration address initiate
    crypto map mapName interface outside

    isakmp enable outside
    isakmp identity hostname
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash md5
    isakmp policy 7 group 1

    vpngroup myVpnGroup address-pool vpnpool
    vpngroup myVpnGroup dns-server 10.131.31.11
    vpngroup myVpnGroup wins-server 10.131.31.11
    vpngroup myVpnGroup default-domain example.com
    vpngroup myVpnGroup split-tunnel 90
    vpngroup myVpnGroup idle-time 1800
    vpngroup myVpnGroup max-time 86400
    vpngroup myVpnGroup password ********
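As an added illustration (not part of the original reference), the following Python script reads a configuration like the one above and computes the policy the firewall would push for a group: the "default" group fallback, the documented defaults for idle-time (1800 s) and max-time (unlimited), and the fact that only permit entries of the split-tunnel access-list are pushed to the client. The sample configuration is constructed from the page's example plus one deny entry; the function and dictionary keys are this example's own, not firewall commands.

```python
# Constructed sample: the vpngroup example from this page, plus one deny
# entry added to show that deny networks are not pushed to the client.
SAMPLE_CONFIG = """\
access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
access-list 90 deny ip 10.131.0.0 255.255.0.0 any
ip local pool vpnpool 10.140.40.1-10.140.40.7
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********
"""

DEFAULT_IDLE = 1800  # documented default inactivity timeout (seconds)


def effective_policy(config, group):
    """Return the policy pushed to clients of `group` (hypothetical helper).
    Falls back to the "default" group, applies the documented defaults
    (idle-time 1800 s, max-time unlimited = None) and lists only the
    permit networks of the split-tunnel access-list."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    if not any(t[0] == "vpngroup" and t[1] == group for t in lines):
        group = "default"  # the default group matches any group name
    policy = {"group": group, "idle_time": DEFAULT_IDLE, "max_time": None,
              "split_tunnel": None, "password_set": False}
    acls = {}
    for tok in lines:
        if tok[0] == "access-list" and len(tok) >= 6:
            # access-list NAME permit|deny PROTO SRC MASK ...
            acls.setdefault(tok[1], []).append((tok[2], tok[4], tok[5]))
        elif tok[0] == "vpngroup" and tok[1] == group:
            key, args = tok[2], tok[3:]
            if key in ("idle-time", "max-time"):
                policy[key.replace("-", "_")] = int(args[0])
            elif key == "password":
                policy["password_set"] = True  # never keep the key itself
            elif key == "split-tunnel":
                policy["split_tunnel"] = args[0]
            else:
                policy[key] = args  # address-pool, dns-server, wins-server...
    # Split tunneling: only permit networks are pushed, deny ones are not.
    # No split-tunnel: nothing is pushed and all client traffic is tunneled.
    policy["pushed_networks"] = [f"{net} {mask}" for act, net, mask in
                                 acls.get(policy["split_tunnel"], [])
                                 if act == "permit"]
    return policy
```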

The following examples show different configurations of the vpdn group command with L2TP.

    vpdn group 1 accept dialin l2tp
    vpdn group 1 l2tp tunnel hello 60
    vpdn group 1 client accounting myaaa